In what appears to be the prelude to a massive identity theft scam, fake ‘Class of 2013’ groups have been opened at Facebook, luring students at a long list of U.S. universities to sign up. The administrators of those groups could potentially gather a lot of personal information on class members.

Brad Ward, an admissions officer at Butler University, broke the story on his blog late last week, after discovering that the same three ‘new students’ were behind the brand new Facebook sites for 2009 freshman classes at dozens of U.S. universities. And it turned out they weren’t really ‘new students’ at any of the schools listed.

“Think of it:” Ward theorizes. “Sitting back for 8-10 months, (even a few years), maybe friending everyone and posing as an incoming student. Think of the data collection. The opportunities down the road to push affiliate links. The opportunity to appear to be an ‘Admin’ of Your School Class of 2013. The chance to message alumni down the road. The list of possibilities goes on and on and on.”

Ward called on fellow university admissions administrators to set up official Class of 2013 Facebook sites and promote them aggressively to their new students. Ward also suggested that universities may have to seek Facebook’s help in taking down the bogus class groups.

As for students… The usual cautions when dealing with online communities apply. Most importantly: Don’t give out personal information online!

In what at first seems like a replay of complaints in North America and Europe against Google’s controversial Street View mapping service, a Japanese civil rights group is demanding that Google stop the program in that country.

Street View currently allows Google Earth users to take a virtual drive down any street in any of 50 major U.S. and European cities, accessing 360-degree views of the streetscapes.

Google has come under fire from individuals in North America and Europe whose faces appeared in Street View images. In addition the U.S. military has told Google to remove certain Street View images that pose a security threat to military installations.

Now, the Campaign Against Surveillance Society (CASS), a Japanese group headed by Yasuhiko Tajima, a professor of constitutional law at Sophia University in Tokyo, is demanding that Google stop providing Street View images of Japanese cities and delete all images of Japanese streets saved to date.

“We strongly suspect that what Google has been doing deeply violates a basic right that humans have,” Tajima told the Reuters news service. CASS is described as a group composed of Japanese university professors and lawyers.

Stay tuned…

You’re probably familiar with iPod accessories such as fashion slipcases, custom skins and docking stations. But, now, there’s a new portable device that’s perfect for holiday party-goers.

The iBreath from David Steele Industries turns any current-model iPod (except Nanos) or iPhone into a convenient pocket breathalyzer. The device is totally self-sufficient, with its own mini LCD readout screen, requiring only power from the iPod or iPhone. The iBreath breathalyzer also comes with a 12V car-power adapter cord (if you don’t have an iPod or iPhone) and a USB cable.

You just plug the iBreath into the iPod or iPhone’s base socket and exhale into the ‘blow wand’ for a minimum of five seconds. A few seconds later, you’ll get a digital readout of your blood alcohol content. If you blow over your local legal limit, you can set a timer to remind you to try again, anywhere from one minute to eight hours later.

The international anti-DUI organization Mothers Against Drunk Driving (MADD) initially criticised the iBreath on the grounds that it might be used at teenage drinking parties to see who could run up the highest blood alcohol content. However, the device does not display readings above 0.100 percent blood alcohol, making such competitions pointless.

The iBreath is just (US)$79 direct from the manufacturer, whose Web site suggests it, “makes a great gift!”

The VideoMate Vista U890F from Compro is an analog TV and FM radio receiver in a USB 2.0 stick form factor. It includes a flexible wire antenna, a Microsoft-certified Vista/MCE remote control, a composite/s-video input cable, and a USB extension cable for those times when plugging the approximately 3 1/2 in. stick directly into your PC isn’t convenient. XP and Vista (32- and 64-bit) drivers and software are included.

I tested the U890F on a notebook running Windows Vista Ultimate 64-bit. The install was painless, and I soon had live local TV on my Vista sidebar. In fact, second only to the clock, it is the most useful Vista sidebar gadget I’ve seen. I was able to put video on my desktop and leverage the power of my notebook to pause and record video. The FM tuner also worked well.

The antenna is a flexible wire dipole similar to that included with most home stereos. From a portability point of view it’s a good choice but it is important to keep in mind that the antenna is essential to reception, and this one is not self supporting. Home users will want to fasten it to a wall, while travelers will want to carry a bit of tape to avoid having to drape it over objects.

My only reservation is that the U890F is an analog TV tuner, and analog television is being phased out in some countries. For example, in the USA, full power TV stations will be exclusively digital starting February 17, 2009, but the Canadian deadline is not until August 31, 2011.

The VideoMate Vista U890F retails for approximately (C)$60.

TLP News Nugget:

From: The Canadian Wireless Telecommunications Association —

“In the third quarter of the year, Canadians sent more than 5.2 billion person-to-person text messages, bringing the total number of text messages in the first nine months of the year to more than 14.1 billion. Canadians are now sending approximately 64 million text messages per day. Text messaging volumes have more than doubled each year since inter-carrier text messaging was introduced in Canada in the spring of 2002.”

All the latest Canadian telecommunications industry news is available online at the CWTA Web site.

From: Science Daily —

Alternatives to the common incandescent light bulb are all the rage these days. Some folks are paying several times more per bulb than incandescents to use them but many still are not — in spite of the fact that experts insist the more-efficient, longer-lasting alternative bulbs offer an overall saving when compared to the cost of incandescents and the power to run them.

Some jurisdictions are pushing the switch to more-efficient lighting to save projected massive amounts of power in the future, enacting legislation to outlaw inefficient incandescents in the near future.

But how great is the potential for long term energy savings from new lighting technologies?

A typical screw-in (direct replacement) LED array light bulb.

As Science Daily reports: “If all of the world’s light bulbs were replaced with energy-efficient LEDs [light-emitting diode bulbs] for a period of ten years, researchers say it would reduce global oil consumption by 962 million barrels, reduce the need for 280 global power plants, reduce carbon dioxide emissions by 10.68 gigatons, and ultimately result in financial savings of $1.83 trillion.”

The potential benefits of so-called ‘smart lighting’ go far beyond saving energy and reducing pollution, though:

“Possible smart lighting applications include rapid biological cell identification, interactive roadways, boosting plant growth, and better supporting human circadian rhythms to reduce an individual’s dependency on sleep-inducing drugs or reduce the risk of certain types of cancer.”

LEDs are the cleanest and most energy-efficient of a number of alternative light bulbs now available. The most popular energy savers for home and business currently are ‘compact fluorescent’ gas-discharge bulbs.

Technically, it’s not really “in the World”. It’s the new human waste elimination appliance aboard the International Space Station.

It’s a technical marvel and, with a price tag of (US)$19 million, it should be operating flawlessly. And it would be, if the crew would use it.

It’s a classic case of high-tech aspirations falling prey to low-tech situations: People insist on privacy.

The problem? The folding-curtain door for the “facility” was scheduled to come up to the station on a future supply rocket. And the crew has decided that, until there’s no blush, there’ll be no flush.

The U.S. National Aeronautics and Space Administration (NASA) has announced it will move up the curtain’s priority on the Space Station shipping manifest.

The Russian-made space toilet was delivered and installed last month as part of a major remodel and expansion of the Space Station in preparation for the planned doubling of its crew complement this coming year.

So… You’re an aspiring killer Web app developer or you’re thinking of moving some systems to the cloud? Here are some of the security issues you need to consider.

Application Security

To begin, you need to build security into your application just like you would if you were running it on your own hardware. Many mistakes are made in the areas of user authentication and input validation.

Writing code to authenticate users is about as glamourless as it gets. So, my first advice to developers is to try to avoid doing it yourself. Where possible, use an existing system that already does the work for you. If you’re going to write your own, you really need to do some research. In summary, you need to address issues such as password complexity rules, aging and resets. Passwords should never be stored in the clear, and it should never be possible for a user or administrator to view a password. Upon entry, passwords should immediately be transformed using a secure one-way function. In addition, you need to consider delay and lockout mechanisms for invalid authentication attempts, and ensure that your application does not provide insight into why an authentication failed (for example, whether the username or the password was wrong).
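The points above, put together in one small authentication routine. This is an added example, not code from the article: it stores only a salt and a PBKDF2-derived key (never the password), locks an account after repeated failures, and returns the same generic message whatever the reason for failure. The iteration count, lockout values and the in-memory store are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Tuning parameters: assumed values, not from the article. Raise the
# iteration count in production; it is kept modest here so the example runs quickly.
PBKDF2_ITERATIONS = 100_000
MAX_FAILURES = 5
LOCKOUT_SECONDS = 300
GENERIC_FAILURE = "Invalid username or password"

# Constructed in-memory stores standing in for a database.
users = {}      # username -> (salt, derived_key); the password itself is never kept
failures = {}   # username -> (failure_count, locked_until_timestamp)

def hash_password(password, salt=None):
    """One-way transform: PBKDF2-HMAC-SHA256 with a random 16-byte salt."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, dk

def register(username, password):
    salt, dk = hash_password(password)
    users[username] = (salt, dk)

def authenticate(username, password, now=None):
    """Returns (ok, message). The message never says why a login failed."""
    now = time.time() if now is None else now
    count, locked_until = failures.get(username, (0, 0.0))
    if now < locked_until:
        return False, GENERIC_FAILURE          # locked out: same message as a bad password
    record = users.get(username)
    if record is None:
        # Unknown user: still do the expensive derivation so response time
        # does not reveal whether the account exists.
        hash_password(password, b"\x00" * 16)
        ok = False
    else:
        salt, stored = record
        _, dk = hash_password(password, salt)
        ok = hmac.compare_digest(dk, stored)  # constant-time comparison
    if ok:
        failures.pop(username, None)           # reset the counter on success
        return True, "OK"
    count += 1
    locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
    failures[username] = (count, locked_until)
    return False, GENERIC_FAILURE
```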

Failing to properly validate input is a fatal mistake, often leading to buffer overflows, stack smashing, and SQL injection. All data arriving at the application should be assumed to be hostile. Attackers will manipulate input fields, change hidden form fields in HTML documents and do all sorts of other unexpected things in an attempt to break your application.
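An added illustration of two of the mistakes named above, not code from the article: a price lookup built by string concatenation beside a hardened version that allow-lists the input and uses a parameterized query, plus a checkout routine that ignores any client-supplied hidden ‘price’ field. The product table, SKU format and quantity limits are constructed for this example.

```python
import re
import sqlite3

# Constructed in-memory catalogue standing in for the application's database.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, price_cents INTEGER)")
conn.executemany("INSERT INTO products VALUES (?, ?)",
                 [("IBREATH", 7900), ("U890F", 6000)])

# Allow-list for the SKU field (assumed format): upper-case letters and digits only.
SKU_RE = re.compile(r"^[A-Z0-9]{1,16}$")

def lookup_price_unsafe(sku):
    """Vulnerable: the input is pasted into the SQL text, so it can rewrite the query."""
    row = conn.execute(
        f"SELECT price_cents FROM products WHERE sku = '{sku}'").fetchone()
    return row[0] if row else None

def lookup_price(sku):
    """Hardened: reject anything outside the allow-list, then bind the value."""
    if not isinstance(sku, str) or not SKU_RE.match(sku):
        raise ValueError("invalid sku")
    row = conn.execute(
        "SELECT price_cents FROM products WHERE sku = ?", (sku,)).fetchone()
    return row[0] if row else None

def checkout_total(form):
    """Total in cents. Any 'price' field the browser sent is ignored: the price
    comes from the server-side catalogue, and the quantity is range-checked."""
    qty = int(form.get("qty", "0"))          # raises ValueError on non-numeric input
    if not 1 <= qty <= 100:
        raise ValueError("invalid quantity")
    price = lookup_price(form.get("sku", ""))
    if price is None:
        raise ValueError("unknown sku")
    return qty * price
```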

Network Security

In your office or data centre you have control of the network. You can design multiple DMZs to separate data of different sensitivities and to create defense in depth. In the cloud, you lose much of the control you had over the physical network topology, making it much more important that every computer is capable of defending itself. If you’re designing for the cloud, every machine should have its own firewall, and you should seriously consider encrypting all traffic between your machines in the cloud. Unless you can clearly demonstrate otherwise, you should assume that an attacker can directly probe each of your machines. And remember, not all hostile traffic will come from the Internet. A hacker may be renting computer time from the same vendor.

Physical Security

A related issue is that in the cloud you no longer have control over physical security. However, for smaller businesses, this may not be a bad thing. Amazon, for example, likely has much better physical security at their data centre than your small business would have. But this is one area where you might want to carefully consider your options, including encrypting all sensitive data to ensure it is protected in the event of a physical security incident.

Backups

One of the reasons we look to the large service providers is that they are often capable of providing very attractive levels of data integrity and availability, including backups. However, in the event of a natural disaster, fire, bankruptcy or contract dispute, you do not want to find yourself unable to access critical data such as a customer or subscriber list. You should therefore consider backing up your data (or at least the most important subsets of it) either to your own office or to another unaffiliated provider. Otherwise you are completely at the mercy of your cloud provider, which could be a financially perilous place to be.

Availability

A high level of availability can be achieved in cloud computing, but it takes some work. How much work depends on the cloud provider. For example, Amazon offers the ability to run in different ‘zones’, but you still need to architect your application to take advantage of it. Since cloud providers are heavy users of virtualization technologies, it is critical that you understand how to ensure that your ‘redundant’ virtual computers are not actually running on the same physical computer.

Jurisdictional Issues

Storing data in the cloud can result in complicated or unfavorable jurisdictional issues. For example, the laws in some jurisdictions make it very easy for law enforcement to obtain data without adequate judicial oversight and some cloud providers may not have any interest in contesting access requests, even when the requests may be unlawful. It is critical to understand where one’s data may be stored and to determine if additional security controls, like data encryption, are required to protect it. Some providers offer data storage in different countries to help resolve these issues and comply with applicable privacy legislation.

A Final Thought

If you just want to play in the cloud, by all means do so. But if you’re developing a serious application, or dealing with personal or corporate information, consider some expert security advice early in the design process. In many cases a security professional can help you build a secure system in the first place and save you a lot of money, time and frustration.

Voicemail users, beware!

A Winnipeg, Canada, computer repair shop may be stuck with a (C)$52,359.59 long distance phone bill run up by a hacker who made hundreds of calls to Bulgaria between November 21 and December 9, 2008 on the company line. Shop proprietor Alan Davidson says his average monthly Manitoba Telecom System (MTS) long distance bill is around (C)$15.

As CTV News reported late last week, the hacker apparently gained access to the phone line of HUB Computer Solutions by calling the number and getting into the company’s carrier-provided voicemail system. Once the user’s voicemail administration password was cracked, the crook could dial out on the line to any destination, to his heart’s content.

Davidson says he’s talked to other small business owners who have been victimized in a similar fashion. However the telephone company says such incidents are rare.

MTS is insisting that Davidson pay the huge phone bill — or, at least, some part of it — but he’s resisting. He says he may have to lay off an employee or take other extreme measures to satisfy MTS’s demands.

MTS says it’s agreed to negotiate the situation, “to come up with something that’s mutually agreeable, and to resolve the issue.” However, Davidson said he had not received a reduced payment proposal from the telco as of last Friday.

Security experts say about all you can do to protect your voicemail system from abuse by hackers is to choose a really strong (hard to crack) administration password.

Once the king of pop-shot photography and, for decades, a mainstay of professional photographers who used instant prints to check their studio lighting set-ups, Polaroid Corp. has filed for Chapter 11 bankruptcy protection.

The Minnesota-based company is seeking protection from creditors while it restructures.

As Polaroid CEO Mary L. Jeffries told CNN, “Our operations are strong and during this process Polaroid will ship products to our retail partners, work with our suppliers and contract manufacturers to fulfill retailer demand…”

Polaroid’s fortunes, as the name that became synonymous with instant gratification for the photo-snapping masses back in the 1960s and 70s, waned rapidly as the popularity of digital cameras exploded over the past five years.

Earlier this year, Polaroid announced it would phase out its professional products, sending traditional artistic and commercial photographers into a panic to go digital.

Polaroid has tried — with only limited success thus far — to adapt itself to the digital age, offering a family of digital imaging products including cameras, photo printers, digital photo frames, scrapbooking software and mass storage systems.

From: Yahoo! Tech —

A new study of spam ‘demographics’ reveals that the amount of personalized spam is increasing alarmingly.

Moreover, these new spam and phishing messages are targeted to specific recipients, according to their interests and previous buying habits.

It’s the difference between snail mail addressed to ‘Occupant’ and unsolicited pitches that come addressed to you — because somebody you did business with sold a mailing list with your name on it to a third party.

As Yahoo! tech reports, “A new study by Cisco Systems Inc. found an alarming increase in the amount of personalized spam, which online identity thieves create using stolen lists of e-mail addresses or other poached data about their victims, such as where they went to school or which bank they use.”

What’s more disturbing, spear phishing messages are less likely to be flagged as spam by spam filters.

“They’re sent in smaller chunks, and often come from accounts the criminals have set up at reputable Web-based e-mail services. Some of the messages are expertly crafted, linking to beautifully designed Web sites that are bogus or immediately install malicious programs.”

Cisco also reports that spam is increasing, overall, estimating that almost 2 billion (yes, ‘billion’!) spam e-mails are dumped onto the Net daily. Specifically, personally-targeted spam has tripled over the past year.

Earlier this week, Microsoft (MS) quietly announced that it will finally start to make good on a promise announced last May to open up its flagship productivity package, MS Office, to third-party file formats.

MS has been under intense pressure from governments and other major users to make its Office suite compatible with the open source Open Document Format (ODF), popularized by free productivity suite competitor Open Office. A number of governments, agencies and educational authorities at all levels made a point, over the past two years, of announcing that they were considering switching from the MS Office system to the Open Office or other alternatives. Some actually did so — and suffered none of the evils MS predicted they would encounter in abandoning MS Office.

ODF support for Office will appear in Office 2007 Service Pack (SP) 2, scheduled for release sometime in the first half of 2009. MS has also specifically promised to include Adobe’s popular Portable Document Format (PDF) in Office. However, PDF is not specifically being promised for Office 2007 SP2.